ℹ️ This project is forked and based on weareinteractive/ansible-ufw. It has the same license and contains some tweaks we made to improve the tool in general or make it work better with our infrastructure.
Feel free to use it, fork it or base your own work on it.
ansible-ufw is an Ansible role which:

- installs ufw
- configures ufw
- configures ufw rules
- configures the ufw service

This is a fork of weareinteractive/ansible-ufw.
Using requirements.yml:

```yaml
- src: git+ssh://git@github.com/trustedshops/ansible-ufw.git
```

Using git:

```
$ git clone git@github.com:trustedshops/ansible-ufw.git
```
Requirements:

- Ansible >= 2.10
Here is a list of all the default variables for this role, which are also available in defaults/main.yml.

```yaml
---
# Start the service and enable it on system boot
ufw_enabled: true
# Reset all of the ufw rules
ufw_reset: false
# List of packages to install
ufw_packages: ["ufw"]
# The service name
ufw_service: ufw
# List of rules to be applied
# see https://docs.ansible.com/ansible/latest/collections/community/general/ufw_module.html for documentation
ufw_rules:
  - rule: allow
    to_port: 22
# Manage the configuration file
ufw_manage_config: false
# Configuration object passed to the configuration file
ufw_config:
  IPV6: "yes"
  DEFAULT_INPUT_POLICY: DROP
  DEFAULT_OUTPUT_POLICY: ACCEPT
  DEFAULT_FORWARD_POLICY: DROP
  DEFAULT_APPLICATION_POLICY: SKIP
  MANAGE_BUILTINS: "no"
  IPT_SYSCTL: /etc/ufw/sysctl.conf
  IPT_MODULES: ""
# Path to the configuration file
ufw_config_file: /etc/default/ufw
```
These are the handlers that are defined in handlers/main.yml.

```yaml
---
- name: reset ufw
  community.general.ufw:
    state: reset

- name: reload ufw
  community.general.ufw:
    state: reloaded
  when: ufw_enabled | bool
```
This is an example playbook:

```yaml
# @see https://docs.ansible.com/ansible/latest/collections/community/general/ufw_module.html#examples
---
- hosts: all
  become: true
  roles:
    - weareinteractive.ufw
  vars:
    ufw_rules:
      # Set logging
      - logging: "full"
      # Allow OpenSSH
      - rule: allow
        name: OpenSSH
      # Delete OpenSSH rule
      - rule: allow
        name: OpenSSH
        delete: true
      # Allow all access to tcp port 80
      - rule: allow
        to_port: '80'
        proto: tcp
    # Manage the configuration file
    ufw_manage_config: true
    # Configuration object passed to the configuration file
    ufw_config:
      IPV6: "yes"
      DEFAULT_INPUT_POLICY: DROP
      DEFAULT_OUTPUT_POLICY: ACCEPT
      DEFAULT_FORWARD_POLICY: DROP
      DEFAULT_APPLICATION_POLICY: SKIP
      MANAGE_BUILTINS: "no"
      IPT_SYSCTL: /etc/ufw/sysctl.conf
      IPT_MODULES: ""
```
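The rules in `ufw_rules` are applied in list order and `delete: true` removes a rule added earlier, so the variables and the example playbook above are worth checking before they reach a remote host: taken literally, the example adds the OpenSSH rule, deletes it again, and then sets `DEFAULT_INPUT_POLICY: DROP`, which leaves only port 80 reachable. The following pre-flight lint is an added example, not part of this role or of the upstream project. It takes the role variables as a Python dict in the shape `defaults/main.yml` documents (in practice loaded from the playbook or inventory with PyYAML, which is not used here so that it runs offline), replays `ufw_rules` in order, resolves the incoming default policy, and flags a policy of DROP or REJECT with no remaining rule that allows SSH. It assumes sshd listens on port 22 or is referenced through the `OpenSSH`/`SSH` application profile, that the shipped `/etc/default/ufw` value (DROP) stays when `ufw_manage_config` is false, and that the module's `default:` option and its older `port` alias may appear in the list; the sample variables are constructed to mirror the playbook above.

```python
"""Pre-flight lint for this role's variables (added example, not part of the role).

Given role vars in the shape defaults/main.yml documents, replay ufw_rules in order
(honouring delete: true), resolve the incoming default policy, and flag a DROP/REJECT
policy that leaves no rule keeping SSH reachable.
"""

# Constructed sample, mirroring the example playbook on this page. In real use the dict
# would come from the playbook/inventory (e.g. loaded with PyYAML).
SAMPLE_VARS = {
    "ufw_enabled": True,
    "ufw_manage_config": True,
    "ufw_config": {"DEFAULT_INPUT_POLICY": "DROP", "DEFAULT_OUTPUT_POLICY": "ACCEPT"},
    "ufw_rules": [
        {"logging": "full"},
        {"rule": "allow", "name": "OpenSSH"},
        {"rule": "allow", "name": "OpenSSH", "delete": True},
        {"rule": "allow", "to_port": "80", "proto": "tcp"},
    ],
}

SSH_PORTS = {"22"}                      # assumption: sshd listens on the standard port
SSH_APP_PROFILES = {"OpenSSH", "SSH"}   # assumption: profile names used for sshd
# Wording of the module's `default:` option mapped to /etc/default/ufw policy wording
POLICY_WORDS = {"allow": "ACCEPT", "deny": "DROP", "reject": "REJECT"}


def effective_rules(rules):
    """Replay the rule list in order. Returns (active rules, deletes that matched nothing)."""
    active, orphan_deletes = [], []
    for entry in rules:
        if "rule" not in entry:  # logging/default/state-only entries create no rule
            continue
        key = {k: v for k, v in entry.items() if k != "delete"}
        if entry.get("delete"):
            if key in active:
                active.remove(key)
            else:
                orphan_deletes.append(key)
        else:
            active.append(key)
    return active, orphan_deletes


def input_policy(role_vars):
    """Resolve the incoming default policy the role leaves behind.

    Assumption: with ufw_manage_config false, the shipped /etc/default/ufw value (DROP)
    stays. A `default:` entry in ufw_rules (the module's own option) overrides the file.
    """
    policy = "DROP"
    if role_vars.get("ufw_manage_config"):
        policy = str(role_vars.get("ufw_config", {}).get("DEFAULT_INPUT_POLICY", "DROP")).upper()
    for entry in role_vars.get("ufw_rules", []):
        if "default" in entry and entry.get("direction", "incoming") in ("incoming", "in"):
            policy = POLICY_WORDS.get(str(entry["default"]).lower(), policy)
    return policy


def allows_ssh(rule):
    """True if a single effective rule keeps inbound SSH reachable."""
    if rule.get("rule") != "allow" or rule.get("direction", "in") not in ("in", "incoming"):
        return False
    if rule.get("name") in SSH_APP_PROFILES:
        return True
    port = str(rule.get("to_port", rule.get("port", "")))  # `port` is the module's older alias
    return port in SSH_PORTS and rule.get("proto", "any") in ("any", "tcp")


def lint(role_vars):
    """Return a list of (severity, message); an empty list means nothing was flagged."""
    findings = []
    active, orphans = effective_rules(role_vars.get("ufw_rules", []))
    for key in orphans:
        findings.append(("warn", f"delete entry matches no earlier rule in ufw_rules: {key}"))
    policy = input_policy(role_vars)
    if role_vars.get("ufw_enabled", True) and policy in ("DROP", "REJECT") \
            and not any(allows_ssh(r) for r in active):
        findings.append(("error",
                         f"incoming policy is {policy} and no remaining rule allows SSH "
                         "(port 22 or the OpenSSH profile): applying this over SSH locks you out"))
    return findings


if __name__ == "__main__":
    for severity, message in lint(SAMPLE_VARS):
        print(f"{severity}: {message}")
```

Run against the sample it reports one `error`; drop the `delete: true` entry (or keep the role's default `to_port: 22` rule) and it reports nothing. Wiring a check like this into `make test` or a pre-task costs little and catches the ordering mistakes that the `community.general.ufw` module itself applies without complaint.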
To run the tests:

```
$ git clone https://github.com/weareinteractive/ansible-ufw.git
$ cd ansible-ufw
$ make test
```
In lieu of a formal style guide, take care to maintain the existing coding style. Add unit tests and examples for any new or changed functionality.

- Fork it
- Create your feature branch (`git checkout -b my-new-feature`)
- Commit your changes (`git commit -am 'Add some feature'`)
- Push to the branch (`git push origin my-new-feature`)
- Create a new Pull Request

Note: To update the README.md file, please install and run ansible-readme:

```
$ gem install ansible-readme
$ ansible-readme
```
Copyright (c) We Are Interactive, Trusted Shops AG under the MIT license.